It is unclear, though, whether the MBTA can realistically buy the time it needs. Karsten Nohl, a University of Virginia PhD student who was one of the first to publish details of security vulnerabilities in MiFare Classic, the brand of wireless smart card used in Boston’s system, says solving the problems could take a year or two and might even involve replacing all card readers and all cards in circulation.
This is not the first lawsuit to hit researchers who have studied the security of MiFare Classic. Last month, Dutch company NXP Semiconductors, which makes the MiFare cards, sued a Dutch university in an attempt to prevent researchers there from publishing details of similar security flaws. The injunction did not succeed, but as RFID technology continues to proliferate, other security experts are concerned about being able to discuss relevant security research openly.
Bruce Schneier, chief security technology officer at BT Counterpane, says the latest lawsuit only distracts from what’s really at stake. “MiFare sold a lousy product to customers who didn’t know how to ask for a better product,” he says. “That will never get fixed as long as MiFare’s shoddy security is kept secret.” He adds, “The reason we publish vulnerabilities is because there’s no other way for security to improve.”
The same brand of RFID card is used on transport networks in other cities, including London, Los Angeles, Brisbane, and Shanghai, as well as for corporate and government identity passes. The technology has even been incorporated into some credit cards and cell phones.
Nohl says the industry should view the MIT students’ work as a free service that could ultimately lead to better security. Although there has been plenty of academic research on the security of RFID, he says, little has yet made its way into products. “The core of the problem is still industry’s belief that they should build security themselves, and that what they’ve built themselves will be stronger if they keep it secret,” Nohl says.
Meanwhile, independent researchers have come up with a number of ideas for improving the security of RFID cards. Nohl and others are researching better ways of encrypting the information stored on the cards. But part of the problem is that the cards are passive, meaning that they will return a signal to any reader that sends a request. Tadayoshi Kohno and colleagues at the University of Washington are also working on a motion-sensing system that would let users activate their cards with a specific gesture, so that a card does not normally respond to requests. Karl Koscher, one of the researchers who worked on the project, says their system is aimed at increasing security without destroying the convenience that has made the cards so popular.